SOCIAL SECURITY
MEMORANDUM

Date: August 13, 2004
To: The Commissioner
From: Acting Inspector General
Subject: Performance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)

We contracted with PricewaterhouseCoopers, LLP (PwC) to evaluate 16 of the Social Security Administration’s performance indicators established to comply with the Government Performance and Results Act. The attached final report presents the results of three of the performance indicators PwC reviewed. For each performance indicator included in this audit, PwC’s objectives were to:

   • Test critical controls over the data generation and calculation processes for the specific performance indicator,
   • Assess the overall adequacy, accuracy, reasonableness, completeness, and consistency of the performance indicator and supporting data, and
   • Determine if each performance indicator provides meaningful measurement of the program and the achievement of its stated objectives.

This report contains the results of the audit for the following indicators:

   • Maintain zero outside infiltrations of Social Security Administration’s programmatic mainframes,
   • By 2005, substantially complete the most significant projects in the Social Security Unified Measurement System and Managerial Cost Accountability System Plan, and complete the plan by the end of 2008, and
   • Milestones in developing new performance management systems.

Please provide within 60 days a corrective action plan that addresses each recommendation. If you wish to discuss the final report, please call me or have your staff contact Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment


OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

Performance Indicator Audit: Management Information Systems Development and Protection

August 2004      A-15-04-14071

AUDIT REPORT


Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

   • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
   • Promote economy, effectiveness, and efficiency within the agency.
   • Prevent and detect fraud, waste, and abuse in agency programs and operations.
   • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
   • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   • Independence to determine what reviews to perform.
   • Access to all information necessary for the reviews.
   • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration’s programs, operations, and management and in our own office.


MEMORANDUM

Date: July 27, 2004
To: Acting Inspector General
From: PricewaterhouseCoopers LLP
Subject: Performance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)

The Government Performance and Results Act (GPRA)[1] of 1993 requires the Social Security Administration (SSA) to develop performance indicators that assess the relevant service levels and outcomes of each program activity.[2] GPRA also calls for a description of the means employed to verify and validate the measured values used to report on program performance.[3]

OBJECTIVE

For each performance indicator included in this audit, our objectives were to:

   1. Test critical controls over the data generation and calculation processes for the specific performance indicator.
   2. Assess the overall adequacy, accuracy, reasonableness, completeness, and consistency of the performance indicator and supporting data.
   3. Determine if each performance indicator provides meaningful measurement of the program and the achievement of its stated objectives.

[1] Public Law No. 103-62, 107 Stat. 285.
[2] 31 United States Code (U.S.C.) 1115(a)(4).
[3] 31 U.S.C. 1115(a)(6).

Performance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)   1

We audited the following performance indicators as stated in SSA’s Fiscal Year (FY) 2003 Performance and Accountability Report (PAR):

   Performance Indicator: Maintain zero outside infiltrations of SSA’s programmatic mainframes.
   FY 2003 Goal: Zero infiltrations.
   FY 2003 Reported Results: Zero infiltrations.

   Performance Indicator: By 2005, substantially complete the most significant projects in the Social Security Unified Measurement System (SUMS) and Managerial Cost Accountability System (MCAS) Plan, and complete the plan by the end of 2008.
   FY 2003 Goal: The six SUMS and MCAS subprojects listed under Results of Review below.
   FY 2003 Reported Results: SSA substantially completed the most significant projects in SUMS and MCAS.

   Performance Indicator: Milestones in Developing New Performance Management Systems.
   FY 2003 Goal: Implement new Senior Executive Service (SES) system.
   FY 2003 Reported Results: Implemented a new SES system.

BACKGROUND

SSA Information Systems

SSA has a complex computing environment that includes mainframe systems and UNIX, AS/400 and Windows servers. SSA also maintains over 60 firewalls and over 50,000 workstations. SSA uses these systems, including distributed systems that support the Agency’s vast field office structure, to pay over $500 billion annually in benefits to approximately 51 million beneficiaries across the country. SSA maintains 5 mainframes logically partitioned into 21 system images with approximately 9 terabytes of data to process over 21 million transactions daily. The Agency operates the z/OS mainframe operating system and uses Top Secret as its security software.

SUMS/MCAS Project

SSA’s systems allow routine assessment of performance and financial information that managers can use to make day-to-day decisions. SSA will continue to enhance these systems over the next few years with the SUMS and MCAS initiatives.[4]

[4] Social Security Administration Performance and Accountability Report Fiscal Year 2003, page 25.

Performance Management System

In FY 2003, SSA introduced a new performance management system for employees as part of an overall strategy to distinguish between levels of performance. This system was developed in October 2002 and is being implemented beginning with SES employees.

RESULTS OF REVIEW

Maintain zero outside infiltrations of SSA’s programmatic mainframes

   FY 2003 Goal: Zero infiltrations.
   Actual FY 2003 Performance: Zero infiltrations.
   SSA met its goal.[5]

Indicator Background

SSA maintains an Intrusion Protection Team (IPT) that was specifically designed to prevent external infiltrations of systems.
The IPT uses numerous software tools to immediately detect attempts to infiltrate SSA’s network and underlying systems. Additionally, software controls at all levels of SSA systems are used to prevent unauthorized access to SSA systems.

SSA created this performance indicator to document the Agency’s success in protecting the mainframe computers, on which SSA’s sensitive programmatic data resides. According to SSA security management, the indicator is intended to measure infiltrations from outside of SSA, and not infiltrations by authorized internal users who manage to elevate their privileges and perform unauthorized actions. Additionally, the indicator is intended to measure only infiltrations of the mainframe computers. Infiltrations related to non-mainframe systems, including SSA’s Intranet, network, and distributed systems, are excluded for reporting purposes within this indicator.

Findings

The intent of the indicator is to provide a picture of SSA’s success in preventing mainframe infiltrations. We believe this is an important goal and its success is very relevant to the Agency. However, the Agency can only count the infiltrations its monitoring detects; it is not possible to state that undetected infiltrations did not occur. Therefore the Agency cannot completely measure, or fully assert, that no outside infiltration has occurred. We believe that the indicator “Actual FY 2003 Performance” results should be enhanced as follows:

   Zero outside infiltrations of SSA’s programmatic mainframes were detected.

[5] Ibid, page 86.

We noted a number of inconsistencies in the descriptions of the indicator. Based on the title of the indicator, internal infiltrations would not be included in the calculation of this indicator; however, the definition, as described in the FY 2003 PAR, is unclear with regard to inclusion of internal infiltrations:

   “The goal is to prevent any unauthorized access and/or alteration of critical data that would result in improper disclosure, incorrect information or lack of data availability. An infiltration is an unauthorized access that requires a cleanup or restoration of back-up files to a state prior to the infiltration. This would include an authorized user who obtains elevated privileges and performs unauthorized actions resulting in infiltration.”[6] (emphasis added)

SSA management should reconsider the data definition under which unauthorized access to SSA’s mainframes is not considered an infiltration unless the unauthorized action results in the need for SSA systems personnel to perform clean-up or restoration activities. We believe that the definition too narrowly defines a mainframe infiltration and could omit important events, such as unauthorized access that results in disclosure of sensitive SSA information, or misuse of copied data, where the event does not require cleanup or restoration activities. Additionally, the indicator excludes infiltrations of SSA’s Intranet, network and distributed systems, which maintain important Agency information.

SSA management should provide a clear statement of how preventing outside infiltrations of the mainframe relates to the Agency goal of “To ensure superior Stewardship of Social Security programs and resources,”[7] or the Agency objective of “Efficiently manage Agency finances and assets, and effectively link resources to performance outcomes.”[8] Although, as previously stated, the prevention of outside infiltrations is an important goal and clearly valuable to SSA, SSA should provide a clear link between this indicator and the overall strategic goal and objective to which it is aligned in the FY 2003 PAR.

We also noted the need for SSA to formally document policies and procedures for reporting mainframe infiltrations by all systems departments to the Office of Strategic Management.

Finally, we noted that the FY 2003 PAR makes reference to red teams as part of the Agency’s overall strategy for protecting the mainframe from infiltrations; however, during interviews with senior SSA security management, we were informed that the red teams were never implemented by the Agency.

[6] Ibid, page 87.
[7] Ibid, page 78.
[8] Ibid, page 84.

Substantially Complete the Most Significant Projects in the SUMS and MCAS Plan

   FY 2003 Goal:

   SUMS
   1. Use of the SUMS Title XVI Post-eligibility Operational Data Store (PEODS) and SUMS Work Measurement Data Warehouse (WMDW) as the sole source of Agency information for managing the redeterminations and limited issue workloads. Complete corrections to the cases in the data warehouse.
   2. Complete the first stage of the national rollout of the Customer Service Record (CSR) through the Visitor Intake Process (VIP) system in SSA field offices. The Customer Service Query (CSQ) will contain an extract of data from eight databases and will be displayed in VIP.
   3. Data contained in the Title II Integrated Workload Management System (IWMS) will be moved to the Title II Operational Data Store (ODS) and will be the basis for the new processing time reports and SUMS counts.
   4. Data on Title XVI Initial Claims processing time from the SSI Claims Report (SSICR) will be moved to the WMDW and accessed from the Common Front End to provide web-based processing time reports.

   MCAS
   5. Cost Analysis System (CAS) Renovation – Office of Hearings and Appeals (OHA) Work Counts: Release 7 of the CAS Renovation project under the umbrella MCAS project will substantially automate the manual processes currently used to compute basic workload count and work time by workload information for the OHA and to enter that data into SSA’s CAS. This project will reduce the time and effort required to produce these data and will enhance the accuracy and integrity of SSA’s managerial cost accounting processes.
   6. Complete Vision and Scope Document for Time Allocation. This document will complete the user planning and analysis phase of the Time Allocation project and will provide the basis for development of detailed requirements and project plans for time allocation.

   Actual FY 2003 Performance: SSA substantially completed the most significant projects in SUMS and MCAS.

   SSA met its goal.[9]

Indicator Background

The SUMS/MCAS performance indicator consists of six subprojects, which are intended to report the Agency’s progress against predefined milestones related to the SUMS and MCAS enhancements. The SUMS and MCAS subprojects are related to automating the process of reporting the Agency’s workloads to provide more efficient, timely and accurate cost data for the Agency. These improvements should enable SSA to more effectively link its resources to costs and performance.

[9] Ibid, page 87.

Findings

We believe that the indicator is generally adequate and provides valuable information relative to achieving enhancements in future reporting of workloads and time allocation; however, SSA could enhance the disclosures in the PAR. SSA management should provide a clear statement of how completion of the plan directly relates to the achievement of the Agency’s strategic objective “Efficiently manage Agency finances and assets, and effectively link resources to performance outcomes”[10] and the strategic goal “To ensure superior Stewardship of Social Security programs and resources.”[11] Although implementation of the systems enhances the Agency’s workload, cost and time allocation data, SSA should provide a clear statement of how the data from the new systems will be used to achieve the overall strategic goal and objective to which it is aligned in the FY 2003 PAR.

SSA should also clearly state how the completion of the subprojects will enable the Agency to complete the most significant projects in the SUMS and MCAS plan by 2005, or complete the entire plan by 2008. The indicator does not identify the previously completed projects or the projects that remain outstanding. Additionally, the indicator provides no context for why these six projects were identified as milestones for FY 2003 or why they were deemed the most significant projects in the SUMS and MCAS Plan.

Milestones in Developing New Performance Management Systems

   FY 2003 Goal: Implement new Senior Executive Service system.
   Actual FY 2003 Performance: Implemented a new SES system.
   SSA met its goal. The five-tier Senior Executive Service (SES) performance management system was implemented on October 1, 2002.[12]

Indicator Background

The FY 2003 evaluation cycle required all SES employees to complete appraisals following the new performance management process.
The five rating levels as documented in the performance management system are:

   • Outstanding: Consistently superior; significantly exceeds expectations of the Fully Successful performance standard.
   • Excellent: Consistently exceeds expectations of the Fully Successful performance standard.
   • Fully Successful: Consistently meets performance expectations.
   • Minimally Satisfactory: Marginally acceptable, needs improvement, occasionally less than Fully Successful performance.
   • Unsatisfactory: Undeniably unacceptable; generally less than Fully Successful performance.

[10] Ibid, page 84.
[11] Ibid, page 78.
[12] Ibid, page 90.

This indicator is linked to the strategic objective of “Recruit, develop and retain a high-performing workforce.”[13] Implementation of a new performance management system is considered a critical part of SSA’s Future Workforce Transition Plan (FWTP) to better manage and align SSA human capital in support of SSA’s mission.

The implementation of a new performance management system for the SES employees has received significant support from the Commissioner, Deputy Commissioners, Performance Review Board and Executive Resources Board. Employees received guidance on developing and processing performance plans in areas such as conducting progress reviews, rating executives, procedures for non-standard situations, and using the performance management system as a decision-making tool.

Findings

We believe that this indicator is generally adequate; however, some improvements could be made. This indicator captures the Agency’s progress against predefined milestones for implementing the performance management system. However, the indicator does not measure the effectiveness of the new system in differentiating the performance of the workforce. The FY 2003 PAR fails to clearly explain how implementing a new performance management system for SES employees relates to the Agency goal “To strategically manage and align staff to support SSA’s mission,”[14] or the Agency objective to “Recruit, develop and retain a high-performing workforce.”[15]

[13] Ibid, page 89.
[14] Ibid, page 89.
[15] Ibid, page 89.

RECOMMENDATIONS

We recommend SSA:

   1. Articulate and disclose the linkage of the performance indicators to the Agency’s strategic goals and objectives.
   2. Maintain documentation that describes why the performance indicator goals were established.
   3. Document the policies and procedures used to prepare and disclose the results of the performance indicators.

Specific to the performance indicator, “Maintain Zero Outside Infiltrations of SSA’s Programmatic Mainframes,” we recommend SSA:

   4. Revise the performance indicator results to clarify that it measures only detected infiltrations.
   5. Ensure that the performance indicator definitions are meaningful, complete, and consistent with the title.

AGENCY COMMENTS

SSA generally agreed with the recommendations in this report. Specific to Recommendation 4, SSA will change the data definition for the performance indicator “Maintain Zero Outside Infiltrations of SSA’s Programmatic Mainframes” to clarify the potential sources of infiltrations. However, SSA stated that the title of this performance indicator will remain the same. The full text of SSA’s comments can be found in Appendix D.

PwC RESPONSE

We believe SSA’s proposed actions will strengthen the performance indicator reporting process. As such, we encourage the Agency to move forward with its corrective actions.


Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Process Flowcharts
APPENDIX D – Agency Comments


Appendix A

Acronyms

   CAS       Cost Analysis System
   CSO       Chief Security Officer
   CSQ       Customer Service Query
   CSR       Customer Service Record
   DIODS     Disability ODS
   EMODS     Earnings ODS
   FedCIRC   Federal Computer Incident Response Center
   FWTP      Future Workforce Transition Plan
   FY        Fiscal Year
   GPRA      Government Performance and Results Act
   IBM       International Business Machines
   IPT       Intrusion Protection Team
   IWMS      Integrated Workload Management System
   MCAS      Managerial Cost Accountability System
   ODS       Operational Data Store
   OHA       Office of Hearings and Appeals
   OHR       Office of Human Resources
   OPM       Office of Personnel Management
   OSM       Office of Strategic Management
   PAR       Performance and Accountability Report
   PEODS     Post-eligibility Operational Data Store
   SES       Senior Executive Service
   SSA       Social Security Administration
   SSASRT    SSA Security Response Team
   SSICR     Supplemental Security Income Claims Report
   SUMS      Social Security Unified Measurement System
   U.S.C.    United States Code
   VIP       Visitor Intake Process
   VPN       Virtual Private Network
   WMDW      Work Measurement Data Warehouse


Appendix B

Scope and Methodology

We first updated our understanding of the Social Security Administration’s (SSA) Government Performance and Results Act (GPRA) processes. This was completed through research and inquiry of SSA management. We also requested SSA to provide various documents regarding the specific programs being measured as well as the specific measurement used to assess the effectiveness and efficiency of the related program.

Through inquiry, observation, and other substantive testing, including testing of source documentation, we performed the following as applicable:

   • Reviewed prior SSA, Government Accountability Office,[1] and other reports related to SSA GPRA performance and related information systems.
   • Met with the appropriate SSA personnel to confirm our understanding of each individual performance indicator.
   • Flowcharted the processes (see Appendix C).
   • Where applicable, tested key controls related to manual or basic computerized processes (e.g., spreadsheets, databases, etc.).
   • Conducted and evaluated tests of the automated and manual controls within and surrounding each of the critical applications to determine whether the tested controls were adequate to provide and maintain reliable data to be used when measuring the specific indicator.
   • Identified and extracted data elements from relevant systems and obtained source documents for detailed testing selections and analysis.
   • Identified attributes, rules, and assumptions for each defined data element or source document.
   • Tested the adequacy, accuracy, reasonableness, consistency, and completeness of the selection.
   • Recalculated the metric or algorithm of key performance indicators to ensure mathematical accuracy.
   • For those indicators with results that SSA determined using computerized data, assessed the completeness and accuracy of that data to determine the data’s reliability.

As part of this audit, we documented our understanding, as conveyed to us by Agency personnel, of the alignment of the Agency’s mission, goals, objectives, processes, and related performance indicators. We analyzed how these processes interacted with related processes within SSA and the existing measurement systems. Our understanding of the Agency’s mission, goals, objectives, and processes was used to determine whether the performance indicators being used appear to be valid and appropriate given our understanding of SSA’s mission, goals, objectives and processes. We followed all performance audit standards.

[1] Formerly called the General Accounting Office.

In addition to the steps above, we specifically performed the following to test the indicators included in this report:

MAINTAIN ZERO OUTSIDE INFILTRATIONS OF SSA’S PROGRAMMATIC MAINFRAMES

   • Assessed the reliability of the data by inquiring of appropriate personnel as to the sources of the data included on, and the process for reviewing, the Federal Computer Incident Response Center (FedCIRC) reports.
   • Reviewed the monthly FedCIRC reports for Fiscal Year (FY) 2003.
   • Interviewed various SSA personnel responsible for protecting the mainframe (including the Intrusion Protection Team (IPT), SSA Security Response Team (SSASRT), Chief Security Officer (CSO), Virtual Private Network (VPN) & Modems Administration and Support teams, Top Secret Administrators and Security Officer) to gain an understanding of the tools and processes implemented to protect, monitor and report on SSA’s systems security.
   • Performed, as part of SSA’s FY 2003 Financial Statement Audit, penetration testing, firewall assessments, and reviews of the mainframe operating system and Top Secret configurations.

SUBSTANTIALLY COMPLETE THE MOST SIGNIFICANT PROJECTS IN THE SUMS AND MCAS PLAN

   • Reviewed documentation related to project development, implementation and management activities.
   • Reviewed the projects and found that they were developed in accordance with Agency documentation policies regarding application software development.
   • Reviewed each of the projects and, by obtaining their software release documentation, found they were released into production during the timeframe reported in the FY 2003 PAR.
   • Reviewed each of the sub-projects and, by interviewing a selection of end users, found that they were being used upon implementation.

MILESTONES IN DEVELOPING NEW PERFORMANCE MANAGEMENT SYSTEMS

   • Reviewed the five-level performance management system and, by reviewing the SES Performance Plan/Rating (Form SSA-330 EF-WP), found that it was implemented for Senior Executive Service (SES) personnel in FY 2003.
   • Reviewed President’s Management Agenda requirements.
   • Reviewed United States Code (U.S.C.) Title 5 criteria regarding SES employee performance appraisal systems and applied such criteria to the performance indicator.[2]
   • Assessed the reliability of the data by inquiring of appropriate personnel regarding the implementation of the performance management system.
   • Reviewed the FY 2003 performance appraisals for a selection of SES personnel.
   • Assessed the adequacy of the performance management system and assessed how successfully the indicator supports the Agency’s goals and objectives.

[2] 5 U.S.C. 4311 et seq.


Appendix C

Flowchart of Maintain Zero Outside Infiltrations of SSA’s Programmatic Mainframes

   [Flowchart: Activity Surrounding SSA Systems; Monitoring Activities; Is Activity Unusual or Suspicious?; Alert Forwarded to IPT; Processed Normally by SSA Computing Environment; IPT Investigates Activity; IPT Determines Response; Response Activities; Infiltration Included on FedCIRC Report; Management Coordination & Executive Contact Teams Meet Regularly & Discuss Security of SSA Systems; CSO Reports Activity to OSM on Monthly Basis. The steps are listed in text below.]

Maintain zero outside infiltrations of SSA’s programmatic mainframes

   • Activity Surrounding SSA Systems (Including the Firewalls, Internet, Intranet, Network and E-mail).
   • SSA & International Business Machines (IBM) Sensors Monitor Activity.
   • Is Activity Unusual or Suspicious?
        o Yes - Alert Forwarded to IPT
        o No - Processed Normally by SSA Computing Environment
   • IPT Investigates Activity.
   • IPT Determines if Mainframe Infiltration Occurred.
        o Yes - Incident Response Team Alerted & Containment Procedures Activated
        o No - Processed Normally by SSA Computing Environment
   • Infiltration Included on FedCIRC Report.
   • Management Coordination & Executive Contact Teams Meet Regularly & Discuss Security of SSA Systems (Including VPN & Modem Access, Top Secret, FedCIRC Report).
   • CSO Reports Infiltrations to OSM on Monthly Basis.

Flowchart of Substantially Complete the Most Significant Projects in the SUMS and MCAS Plan

   [Flowchart: SUMS / MCAS Business Plan (Developed in 10/2002)]
                                                                              SUMS / MCAS\n                                                                                   Project Plan\n                                                                                  (Dated 10/4/02)\n\n\n\n\n             Milestones Accomplished Prior to FY2003\n                                                                                                                Milestones Accomplished Prior to FY2003\n       y     SUMS Documentation Website\n       y     Title XVI Post-Eligibility (PE) ODS                                                            y   Earnings ODS (EMODS)\n       y     Work Measurement Data Warehouse (WMDW)                                                         y   Title XVI ODS\n       y     Title II Initial Claims Operational Data Store (ODS)                                           y   Disability ODS (DIODS)\n                                                                                                            y   Fraud ODS\n\n\n\n                                                                       Milestones Completed in FY 2003\n\n\n\n\n       SUMS                         SUMS                                                                    SUMS\n                                                                SUMS                                                                MCAS\n Move Title XVI Initial      Moved Data in Title II                                                  Title XVI PEODS &                                         MCAS\n                                                        Completed 1st Stage                                                    CAS Renovation\n  Claims Processing          IWMS to Title II ODS                                                   WMDW for Managing                                     Completed Vision\n                                                        of National Rollout for        
                                       Project - Release 7\nfrom SSICR to WMW               for New Time                                                        Redeterminations &                                  and Scope Document\n                                                         CSR Through VIP in                                                    Automated OHA\n   & Accessed from             Reports & SUMS                                                            Limited Issue                                   for Time Allocation\n                                                              SSA FO\xe2\x80\x99s                                                           Work Counts\n Common Front End                   Counts                                                                Workloads\n\n\n\n\n                                     SUMS\n                  According to the Project Plan, the following                                                                         MCAS\n                  milestones will be achieved in FY2004-2005.                                                       
According to the Project Plan, the following\n                                                                             Milestones Scheduled\n                                                                                                                    milestones will be achieved in FY2004-2005.\n              y      SUMS Counts Rqmts                                        in FY 2004 - FY 2005\n              y      T2 Initial Claims Phases 2-3                                                               y      Time Allocation Base System\n              y      T16 Initial Claims Phases 2-3                                                              y      Managerial Accounting:\n              y      CDR Phases 1-2-3                                                                                       - CAS Renovation: Release 7, 8, 9\n              y      Redets/LI,                                                                                             - MCAS Reports\n              y      Benefits Recomp Phases 1-2                                                                             - Work Measurement Trans.\n              y      Appeals Phases 1-2                                                                                     - MCAS Rel. 1 - CAS Replacement\n              y      CSR Releases 1-2-3-4                                                                                   - MCAS Rel. 2 - Dist/Allo\n              y      Debt Management Phase 1\n              y      Inquiries Phase 1\n\n\n\n\n                                     SUMS\n                  According to the Project Plan, the following\n                  milestones will be achieved in FY2005-2008.                                                                          
MCAS\n                                                                             Milestones Scheduled                   According to the Project Plan, the following\n             y       Debt Management Phase 2                                  in FY 2004 - FY 2005                  milestones will be achieved in FY2005-2008.\n             y       Inquiries Phases 2-3\n             y       Enumeration Phases 1-2                                                                     y      Time Allocation Additional Workloads\n             y       Earnings Phases 1-2                                                                        y      Managerial Accounting\n             y       Rep. Payee Phases 1-2                                                                                  - Strat. & Perf. Plans\n             y       Fraud Phases 1-2                                                                                       - SSA Program Data\n             y       Indirect Work Phases 1-2-3                                                                             - Quality & Accuracy\n             y       Medicare Phases 1-2-3                                                                                  - Budget Form. & Exec. 
Sys.\n             y       Public Information Phases 1-2-3\n             y       Reimb Wrklds Phases 1-2-3\n\n\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)                                                                  C-3\n\x0cSubstantially Complete the Most Significant Projects in the SUMS and MCAS\nPlan\n\n\xe2\x80\xa2   SUMS / MCAS Business Plan (Developed in 10/2002).\n\xe2\x80\xa2   SUMS / MCAS Project Plan (Dated 10/4/02).\n\xe2\x80\xa2   Milestones Accomplished Prior to Fiscal Year (FY) 2003.\n       o SUMS Documentation Website\n       o Title XVI Post-Eligibility (PE) ODS\n       o Work Measurement Data Warehouse (WMDW)\n       o Title II Initial Claims Operational Data Store (ODS)\n       o Title XVI ODS\n       o Disability ODS (DIODS)\n       o Fraud ODS\n       o Earnings ODS (EMODS)\n\xe2\x80\xa2   Milestones Completed in FY 2003.\n       o SUMS\n              \xc2\x83 Move Title XVI Initial Claims Processing from SSICR to WMW &\n                  Accessed from Common Front End\n              \xc2\x83 Moved Data in Title II IWMS to Title II ODS for New Time Reports &\n                  SUMS Counts (See Note)\n              \xc2\x83 Title XVI PEODS & WMDW for Managing Redeterminations & Limited\n                  Issue Workloads\n              \xc2\x83 Completed 1st Stage of National Rollout for CSR Through VIP in SSA\n                  Field Offices\n       o MCAS\n              \xc2\x83 CAS Renovation Project - Release 7 Automated OHA Work Counts\n              \xc2\x83 Completed Vision and Scope Document for Time Allocation\n\xe2\x80\xa2   Milestones Scheduled in FY 2004 \xe2\x80\x93 FY 2005.\n       o SUMS - According to the Project Plan, the following milestones will be\n           achieved in FY 2004 \xe2\x80\x93 FY 2005.\n              \xc2\x83 SUMS Counts Rqmts\n              \xc2\x83 T2 Initial Claims Phases\n              \xc2\x83 T16 Initial Claims Phases\n              
\xc2\x83 CDR Phases\n              \xc2\x83 Redeterminations/Limited Issue Workloads,\n              \xc2\x83 Benefits Recomputation Phases\n              \xc2\x83 Appeals Phases\n              \xc2\x83 CSR Releases\n              \xc2\x83 Debt Management Phases\n              \xc2\x83 Inquiries Phases\n       o MCAS - According to the Project Plan, the following milestones will be\n           achieved in FY 2004 \xe2\x80\x93 FY 2005.\n              \xc2\x83 Time Allocation Base System\n              \xc2\x83 Managerial Accounting:\n                       \xe2\x80\xa2 CAS Renovation: Release 7, 8, 9\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)   C-4\n\x0c                     \xe2\x80\xa2 MCAS Reports\n                     \xe2\x80\xa2 Work Measurement Trans.\n                     \xe2\x80\xa2 MCAS Rel. 1 - CAS Replacement\n                     \xe2\x80\xa2 MCAS Rel. 2 - Dist/Allo\n\xe2\x80\xa2   Milestones Scheduled in FY2005-FY2008.\n       o SUMS - According to the Project Plan, the following milestones will be\n           achieved in FY 2005 \xe2\x80\x93 FY 2008.\n              \xc2\x83 Debt Management Phase\n              \xc2\x83 Inquiries Phases\n              \xc2\x83 Enumeration Phase\n              \xc2\x83 Earnings Phases\n              \xc2\x83 Representative Payee Phases\n              \xc2\x83 Fraud Phases\n              \xc2\x83 Indirect Work Phases\n              \xc2\x83 Medicare Phases\n              \xc2\x83 Public Information Phases\n              \xc2\x83 Reimbursable Workload Phases\n       o MCAS - According to the Project Plan, the following milestones will be\n           achieved in FY2005-2008.\n              \xc2\x83 Time Allocation Additional Workloads\n              \xc2\x83 Managerial Accounting\n                     \xe2\x80\xa2 Strat. & Perf. 
Plans\n                     \xe2\x80\xa2 SSA Program Data\n                     \xe2\x80\xa2 Quality & Accuracy\n                     \xe2\x80\xa2 Budget Formulation & Execution System\n\xe2\x80\xa2   Note: This milestone was completed on 10/24/03 (after closure of FY 2003).\n\n\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)   C-5\n\x0cFlowchart of Milestones in Developing New\nPerformance Management Systems\n                                       Title 5 US Code / President\xe2\x80\x99s\n                                            Management Agenda\n                                               Requirements 1\n\n\n\n\n                                         OHR Restructures SES\n                                        Performance Management\n                                        System to Include 5 Levels\n\n                                                                       No\n\n\n\n                                          Commissioner / OPM\n                                              Approval\n\n\n\n                                                        Yes\n\n                                            Restructured SES\n                                        Performance Management\n                                        System rolled out 10/1/02\n\n\n\n\n                                        Employee/Supervisor Set\n                                          Annual Performance\n                                              Objectives\n\n\n\n\n                                           Mid-Cycle Review /\n                                          Ongoing Discussions\n\n\n\n\n                                          Employee/Supervisor\n                                           Complete Appraisal\n\n\n\n\n                                           Performance Review\n                                             Board Reviews /\n                                           Recommends 
Final\n                                           Appraisal Summary\n                                                  Rating\n\n\n\n\n                                         Commissioner Assigns\n                                        Final Appraisal Summary\n                                                 Rating\n\n\n\n\n                                               Appraisal is\n                                                finalized\n\n\n\n\n1\n    5 U.S.C. Section 4311.\n\n\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)   C-6\n\x0c    Milestones in Developing New Performance Management Systems\n\n    \xe2\x80\xa2   Title 5 United States Code / President\xe2\x80\x99s Management Agenda Requirements.\n    \xe2\x80\xa2   Office of Human Resources (OHR) Restructures SES Performance Management\n        System to Include 5 Levels.\n    \xe2\x80\xa2   Commissioner / Office of Personnel Management (OPM) Approval.\n            o Yes - Restructured SES Performance Management System rolled out\n                10/1/02\n            o No - OHR Restructures SES Performance Management System to Include\n                5 Levels\n    \xe2\x80\xa2   Employee/Supervisor Set Annual Performance Objectives.\n    \xe2\x80\xa2   Mid-Cycle Review / On-going Discussions.\n    \xe2\x80\xa2   Employee/Supervisor Complete Appraisal.\n    \xe2\x80\xa2   Performance Review Board Reviews /Recommends Final Appraisal Summary\n        Rating.\n    \xe2\x80\xa2   Commissioner Assigns Final Appraisal Summary Rating.\n    \xe2\x80\xa2   Appraisal is finalized.\n\n\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)   C-7\n\x0c                                                                                          Appendix D\nAgency Comments\n\n\n\n\nPerformance Indicator Audit: Management Information Systems Development and Protection (A-15-04-14071)\n\x0c                     
                           SOCIAL SECURITY

MEMORANDUM                                                                                     33296-24-1159

Date:      July 14, 2004                                                                      Refer To: S1J-3

To:        Patrick P. O'Carroll, Jr.
           Acting Inspector General
From:      Larry W. Dye         /s/
           Chief of Staff
Subject:   Office of the Inspector General (OIG) Draft Report, "Performance Indicator Audit:
           Management Information Systems Development and Protection" (A-15-04-14071)—
           INFORMATION


           We appreciate OIG's efforts in conducting this review. Our comments on the draft report are
           attached.

           If you have any questions, you may contact Candace Skurnik, Director of the Audit Management
           and Liaison Staff, at extension 54636.

           Attachment


COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT,
"PERFORMANCE INDICATOR AUDIT: MANAGEMENT INFORMATION SYSTEMS
DEVELOPMENT AND PROTECTION" (A-15-04-14071)

Thank you for the opportunity to review and provide comments on this OIG draft report. We find
the report useful in our ongoing efforts to improve strategic and performance management at the
Social Security Administration (SSA).

Recommendation 1

Articulate and disclose the linkage of the performance indicators to the Agency's strategic goals and
objectives.

Comment

We concur. The SSA Office of the Chief Strategic Officer (OCSO) is currently developing the
fiscal year (FY) 2005/2006 Agency Performance Plan (APP) and will ask every sponsoring SSA
component to improve the documentation linking performance indicators to Agency strategic
goals and objectives. 
Our future performance plans will include a narrative explanation of the
linkage between performance measures, targets and the Agency's strategic goals and objectives.

Recommendation 2

Maintain documentation that describes why the performance indicator goals were established.

Comment

We concur with this recommendation. Maintaining documentation of this nature has always
been part of our standard operating procedure. OCSO has asked the Agency's planning
representatives and data sources to enhance maintenance of documentation relating to
performance indicator goals. We will modify SSA's Performance and Accountability Report
(PAR) to include this information for the key performance measures.

Recommendation 3

Document the policies and procedures used to prepare and disclose the results of the performance
indicators.

Comment

We agree. In conjunction with development of the FY 2005/2006 APP, OCSO will issue a
reminder to SSA sponsoring components concerning the requirement to document policies and
procedures used to prepare and disclose the results of performance indicators.

Recommendations specific to performance indicator, "Maintain Zero Outside Infiltrations of SSA's
Programmatic Mainframes":

Recommendation 4

Revise the performance indicator results to clarify that it measures only detected infiltrations.

Comment

Since all the measures included in the PAR are based upon the information available to the
Agency, we believe it is implicit that this particular performance indicator relates to detected
infiltrations only. We have changed the data definition for this performance indicator effective
with the FY 2005/2006 APP to clarify the potential sources of infiltrations. 
The title of the
performance indicator ("Maintain Zero Outside Infiltrations of SSA's Programmatic
Mainframes") will remain the same.

Recommendation 5

Ensure that the performance indicator definitions are meaningful, complete, and consistent with the
title.

Comment

We agree, and will review performance indicator data definitions in a manner consistent with this
recommendation as we develop the FY 2005/2006 APP. We have changed the data definition for
the "Maintain Zero Outside Infiltrations of SSA's Programmatic Mainframes" effective with the FY
2005/2006 APP.


               Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),
Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office
of Executive Operations (OEO). To ensure compliance with policies and procedures, internal
controls, and professional standards, we also have a comprehensive Professional Responsibility
and Quality Assurance program.

                                        Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security
Administration's (SSA) programs and operations and makes recommendations to ensure
program objectives are achieved effectively and efficiently. Financial audits assess whether
SSA's financial statements fairly present SSA's financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA's programs
and operations. OA also conducts short-term management and program evaluations and projects
on issues of concern to SSA, Congress, and the general public.

                                    Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and
mismanagement in SSA programs and operations. This includes wrongdoing by applicants,
beneficiaries, contractors, third parties, or SSA employees performing their official duties. This
office serves as OIG liaison to the Department of Justice on all matters relating to the
investigations of SSA programs and personnel. OI also conducts joint investigations with other
Federal, State, and local law enforcement agencies.

                   Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including
statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on
investigative procedures and techniques, as well as on legal implications and conclusions to be
drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary
Penalty program.

                               Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO
also coordinates OIG's budget, procurement, telecommunications, facilities, and human
resources. In addition, OEO is the focal point for OIG's strategic planning function and the
development and implementation of performance measures required by the Government
Performance and Results Act of 1993.